Privacy Act of 1974
Citation

Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (Dec. 31, 1974), codified at 5 U.S.C. §552a (1974) (full-text).

Background

Before advanced computerized techniques for aggregating, analyzing, and disseminating data came into widespread use, personal information contained in paper-based public records at courthouses or other government offices was relatively difficult to obtain, usually requiring a personal visit to inspect the records. Non-public information, such as personal information contained in product registrations, insurance applications, and other business records, was also generally inaccessible.

Indeed, at the time the Privacy Act was being debated and enacted, there were technological limitations on the use of individual records by federal agencies. The vast majority of record systems in federal agencies were manual. Computers were used only to store and retrieve, not to manipulate or exchange information. It was theoretically possible to match personal information from different files, to manually verify information provided on government application forms, and to prepare a profile of a subset of individuals of interest to an agency. However, the number of records involved made such applications impractical.

Only a few years later, however, advances in computer and data communication technology enabled agencies to collect, use, store, exchange, and manipulate individual records in electronic form. Computer systems and computer networks are now widely used by the federal government, vastly increasing the potential points of access to personal record systems and the creation of new systems.

History of the Privacy Act

In the mid-1960s, Congress and certain executive agencies began to study the privacy implications of records maintained by federal agencies.
The congressional concern with privacy and individual records was precipitated by the 1965 Social Science Research Council proposal that the Bureau of the Budget establish a National Data Center to provide basic statistical information originating in all federal agencies. In 1966, the Senate Committee on the Judiciary, Subcommittee on Administrative Practice and Procedure [U.S. Congress, Senate Comm. on the Judiciary, Subcomm. on Administrative Practice and Procedure, Invasions of Privacy (Government Agencies), Hearings, 89th Cong. (Feb. 1965, June 1966).] and the House Committee on Government Operations, Special Subcommittee on Invasion of Privacy, [U.S. Congress, House Comm. on Government Operations, Special Subcomm. on Invasion of Privacy, The Computer and Invasion of Privacy, Hearings, 89th Cong., 2d Sess. (July 25, 27, 28, 1966).] held hearings on the proposals for a National Data Center. Both committees were unconvinced of the need for such a center or of its ability to keep data confidential.

In 1967 and 1968, the House and Senate again held hearings on the proposal for a National Data Center, and remained unconvinced that such a center could adequately protect the privacy of individual records. The committees and various witnesses feared that once such a center was established, its limited role would not be maintained. There was also great reluctance to condone the centralization of both personal information and responsibility for that information within an executive agency. Although the committees agreed that the existing situation was inefficient, they believed that such decentralized inefficiency was amenable to congressional oversight, whereas centralized efficiency would be more difficult to check. The proposal for a National Data Center was therefore rejected.
In 1970, the Senate Judiciary Committee, Subcommittee on Constitutional Rights, chaired by Senator Sam Ervin, Jr., began a 4-year study of Federal Government databanks containing personal information and held related oversight hearings. [See U.S. Congress, Senate Comm. on the Judiciary, Subcomm. on Constitutional Rights, Federal Data Banks, Computers and the Bill of Rights, Hearings, 92d Cong., 1st Sess. (Feb. 24-25 and Mar. 2, 3, 4, 9, 10, 11, 15, and 17, 1971, parts 1 and 11).] These hearings and the survey of agencies conducted by the Ervin Subcommittee laid the groundwork for the Privacy Act of 1974.

In 1972, Alan Westin and Michael Baker, with the support of the Russell Sage Foundation and the National Academy of Sciences, released a report, Databanks in a Free Society, in which they concluded that computerization of records was not the villain it had often been portrayed to be. Their policy recommendations applied to both computerized and manual systems and included:
# a “Citizen’s Guide to Files”;
# rules for confidentiality and data sharing;
# limitations on unnecessary data collection;
# technological safeguards;
# restricted use of the social security number; and
# the creation of information trust agencies to manage sensitive data. [Alan F. Westin & Michael A. Baker, Databanks in a Free Society (1972).]

In 1973, the Secretary of Health, Education, and Welfare’s Advisory Committee on Automated Personal Data Systems released its report, Records, Computers and the Rights of Citizens, [U.S. Department of Health, Education, and Welfare, Records, Computers and the Rights of Citizens (1973).] in which it discussed three changes resulting from the use of computerized recordkeeping:
:1. an increase in organizational data processing capacity;
:2. more access to personal data; and
:3. the creation of a class of technical recordkeepers.

It recommended the enactment of a Federal “Code of Fair Information Practice” that would apply to both computerized and manual systems.
This code served as the model for the Privacy Act, as well as for the Council of Europe’s 1974 “Resolution on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Private Sector.” [Council of Europe, Resolution on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Private Sector (Res(74)29E) (Sept. 20, 1974) (full-text).] The major principles of the code include:
* There must be no personal data recordkeeping system whose very existence is secret.
* There must be a way for an individual to find out what information about him or her is in a record and how it is used.
* There must be a way for an individual to prevent information about him or her that was obtained for one purpose from being used or made available for other purposes without his or her consent.
* There must be a way for an individual to correct or amend a record of identifiable information about him or her.
* Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

In 1974, in the wake of Watergate, hearings on numerous privacy bills were held in both the Senate and the House. [See U.S. Congress, Senate Committee on Government Operations, Ad Hoc Subcommittee on Privacy and Information Systems, and Committee on the Judiciary, Subcommittee on Constitutional Rights, Privacy — The Collection, Use and Computerization of Personal Data, Joint Hearings, 93d Cong., 2d Sess., June 18-20, 1974.] In the subcommittee hearings, there was little disagreement on the need for individual rights with respect to personal information held by Federal agencies. Discussions centered instead on the logistics of enabling individuals to use these rights, and the specific fair information practices that agencies were to follow.
The Senate version also provided for a permanent Federal Privacy Board with regulatory powers, while the House version provided no such oversight mechanism. As a compromise, the Privacy Protection Study Commission was created, and oversight responsibilities were given to the Office of Management and Budget.

In 1977, the Privacy Protection Study Commission released its comprehensive report, Personal Privacy in an Information Society, which analyzed the policy implications of personal record-keeping in a number of areas including credit, insurance, employment, medical care, investigative reporting, education, and State and local government.

Legislative History

The entire legislative history of the Privacy Act of 1974 is contained in a convenient, one-volume compilation. [See House Comm. on Gov't Operations and Senate Comm. on Gov't Operations, 94th Cong., 2d Sess., Legislative History of the Privacy Act of 1974 — S. 3418 (Public Law 93-579) Source Book on Privacy (1976) [hereinafter Source Book].] The Act was passed in great haste during the final week of the Ninety-Third Congress. No conference committee was convened to reconcile differences in the bills passed by the House and Senate. Instead, staffs of the respective committees — led by Senators Ervin and Percy, and Congressmen Moorhead and Erlenborn — prepared a final version of the bill that was ultimately enacted.

The original reports are thus of limited utility in interpreting the final statute, while the more reliable legislative history consists of a brief analysis of the compromise amendments — entitled "Analysis of House and Senate Compromise Amendments to the Federal Privacy Act" — prepared by the staffs of the counterpart Senate and House committees and submitted in both the House and Senate in lieu of a conference report. [See 120 Cong. Rec. 40,405-09, 40,881-83 (1974), reprinted in Source Book at 858-68, 987-94.]

Provisions of the Act

The Privacy Act of 1974 [5 U.S.C. §552a.] was implemented to protect the privacy of individuals identified in information systems maintained by federal executive branch agencies, and to control the collection, use, and sharing of information. The Act governs the collection, use, and dissemination of a “record” [The Act defines a record as "any item, collection, or grouping of information about an individual that is maintained by an agency and contains his or her name or another personal identifier." Id. §552a(a)(4).] about an “individual” [The term individual means "a citizen of the United States or an alien lawfully admitted for permanent residence." Id. §552a(2).] maintained by federal agencies [An agency is defined as "any Executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the federal Government (including the Executive Office of the President), or any independent regulatory agency." 5 U.S.C. §552a(1) (incorporating 5 U.S.C. §552(f) (2000), which in turn incorporates 5 U.S.C. §551(1) (2000)).] in a “system of records.” [The act defines system of records as "a group of records under the control of any agency from which information is retrieved by the name of the individual or by an individual identifier." Id. §552a(a)(5).]

The Act requires that when a federal government agency establishes or makes changes to a system of records, it must notify the public by a notice in the Federal Register identifying, among other things, the type of data collected, the types of individuals about whom information is collected, the intended “routine” uses of data, [Under the Privacy Act of 1974, the term “routine use” means (with respect to the disclosure of a record) the use of such a record for a purpose that is compatible with the purpose for which it was collected. 5 U.S.C. §552a(a)(7).] and procedures that individuals can use to review and correct personal information.
In order for an agency record to be protected by the Privacy Act, it must be retrieved by individual name or individual identifier. The Privacy Act also applies to systems of records created by government contractors. [Id. §552(m).] The Privacy Act does not apply to private databases.

The Privacy Act prohibits the disclosure of any record maintained in a system of records to any person or agency without the written consent of the record subject, unless the disclosure falls within one of twelve statutory exceptions. The Act allows most individuals to seek access to records about themselves, and requires that personal information in agency files be accurate, complete, relevant, and timely. [Id. §552a(e)(5).] The subject of a record may challenge the accuracy of information.

The Privacy Act requires that when agencies establish or modify a system of records, they publish a “system-of-records notice” in the Federal Register. [The Federal Register notice must identify, among other things, the type of data collected, the types of individuals about whom information is collected, the intended “routine” uses of data, and procedures that individuals can use to review and correct personal information. Id. §552e(4).]

Each agency that maintains a system of records is required to “establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual. . . .” [Id. §552a(e)(10).]

Fair Information Practice Principles

The provisions of the Privacy Act are largely based on a set of principles for protecting the privacy and security of personal information, known as the Fair Information Practice Principles, which were first proposed in 1973 by a U.S. government advisory committee. [Congress used the committee’s final report as a basis for crafting the Privacy Act of 1974. See U.S. Department of Health, Education and Welfare, Records, Computers and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems (July 1973).] These principles, now widely accepted, include:
* collection limitation,
* data quality,
* purpose specification,
* use limitation,
* security safeguards,
* openness,
* individual participation, and
* accountability.

The Act regulates federal government agency record-keeping and disclosure practices, and prohibits the disclosure of any record maintained in a system of records to any person or agency without the written consent of the record subject, unless the disclosure falls within one of twelve statutory exceptions. The Act allows most individuals to seek access to records about themselves, and requires that personal information in agency files be accurate, complete, relevant, and timely. [5 U.S.C. §552a(e)(5).] The subject of a record may challenge the accuracy of information.

Several provisions of the act require agencies to define and limit themselves to specific predefined purposes. For example, the act requires that to the greatest extent practicable, personal information should be collected directly from the subject individual when it may affect an individual’s rights or benefits under a federal program. The Act also requires that an agency inform individuals whom it asks to supply information of (1) the authority for soliciting the information and whether disclosure of such information is mandatory or voluntary; (2) the principal purposes for which the information is intended to be used; (3) the routine uses that may be made of the information; and (4) the effects on the individual, if any, of not providing the information.
This requirement is based on the assumption that individuals should be provided with sufficient information about the request to make a decision about whether to respond.

In handling collected information, the Privacy Act also requires agencies to, among other things, allow individuals to (1) review their records (meaning any information pertaining to them that is contained in the system of records), (2) request a copy of their record or information from the system of records, and (3) request corrections in their information. Such provisions can provide a strong incentive for agencies to correct any identified errors.

No Secret Database Principle

The first requirement of the Act permits an individual to determine what records pertaining to him are collected, maintained, used, or disseminated by such agencies. To this end, agencies are to publish in the Federal Register an annual notice of the existence and character of all systems of records containing personal information, and a notice of any new systems of records or new uses of the information in an existing system. The purpose of this was to ensure that there were no secret systems of records by giving the individual notice of agency record-keeping practices. However, most agree that the Federal Register is not the ideal vehicle for such notice as it is not easily accessible to most people.

In “The President’s Annual Report on the Agencies’ Implementation of the Privacy Act of 1974” for calendar years 1982 and 1983, OMB identified the effectiveness of the public notice process as one area for further study, noting that:

In 1983, OMB, on the basis of the Congressional Reports Elimination Act of 1982, [Pub. L. No. 97-375.] eliminated the requirement that agencies republish all of their system notices each year in the Federal Register. The reason offered for this decision was lack of public and congressional interest.
OMB viewed agency republication as a duplication of the Federal Register’s annual compilation of Privacy Act notices. OMB estimated that the elimination of this requirement, including its administrative expenses, had saved the government over $1 million. [Id. at 10.]

Additionally, the Privacy Act requires agencies to inform individuals, on an application form or on a separate form that individuals can retain, of the following information:
1) the authority that authorizes the solicitation of the information and whether disclosure of such information is mandatory or voluntary;
2) the principal purpose or purposes for which the information is intended to be used;
3) the routine uses that may be made of the information; and
4) the effects of not providing all or any part of the requested information.

Use Limitation Principle

The Act requires that an individual be permitted to prevent records pertaining to him obtained by such agencies for a particular purpose from being used or made available for another purpose without his consent. To this end, agencies are to acquire the prior written consent of the individual to whom the record pertains before disclosing a record unless one of twelve exceptions is met. Subsection (b) of the Privacy Act provides that “No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be
:1. to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties;
:2. required under the Freedom of Information Act;
:3. for a routine use as defined in the act;
:4. to the Bureau of the Census for planning or carrying out a census or survey or related activity;
:5. for statistical research, provided the information is not individually identifiable;
:6. to the National Archives and Records Administration for historical preservation purposes;
:7. to any government agency (e.g., federal, state, or local) for a civil or criminal law enforcement activity if the head of the agency has made a written request specifying the information desired and the law enforcement activity for which the record is sought;
:8. to a person upon showing compelling circumstances affecting the health or safety of an individual if notice is transmitted to the last known address of such individual;
:9. to either House of Congress or any committee or subcommittee with related jurisdiction;
:10. to the Government Accountability Office;
:11. pursuant to a court order; or
:12. to a consumer reporting agency for the purpose of collecting a claim of the government.”

Yet current laws and guidance impose only modest requirements for describing the purposes for personal information and limiting how it is used. For example, agencies are not required to be specific in formulating purpose descriptions in their public notices. Overly broad specifications of purpose could allow for unnecessarily broad ranges of uses, thus calling into question whether meaningful limitations had been imposed. Alternatives for addressing these issues include setting specific limits on use of information within agencies and requiring agencies to establish formal agreements with external governmental entities before sharing personally identifiable information with them.

Additionally, an agency may disclose a record without the consent of the individual if the disclosure would be for a “routine use,” defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.” If an agency intends to disclose personal information for a “routine use,” then it must publish a notice in the Federal Register.
This exemption has proved to be quite controversial. In the 1983 Oversight of the Privacy Act Hearings, James Davidson, former counsel to the Senate Subcommittee on Intergovernmental Relations of the Committee on Government Operations, stated that the “routine use” exemption was:

Davidson went on to note that this has not been the way that agencies have used the routine use exemption; rather, if agencies had been routinely exchanging information over the years, they have assumed that the routine use exemption allows them to continue.

There have been a number of legislative proposals to amend the “routine use” definition. The Privacy Protection Study Commission recommended that, in addition to the requirement that the use of a record be “compatible with the purposes for which it was collected,” the use also be “consistent with the conditions or reasonable expectations of use and disclosure under which the information in the record was provided, collected, or obtained.” [Privacy Protection Study Commission, at 120.]

In the 1982 and 1983 “President’s Annual Report on the Agencies’ Implementation of the Privacy Act of 1974,” problems with the interpretation and implementation of the “routine use” disclosure were identified as Privacy Act issues for further study. The “Annual Report” stated that it would "be useful for the Congress to reconsider this problem and provide clearer guidance on routine use disclosures." [“The President’s Annual Report,” 1982-1983, at 121.]

Individual Participation Principle

The Act permits an individual to gain access to information pertaining to him in Federal agency records, to have a copy made of all or any portion thereof, and to correct or amend such records. These individual rights are a cornerstone of the Act; however, they have not been used as much as anticipated. Reasons offered include:
:1. the time an individual must spend in communicating with an agency;
:2. the possible difficulty in adequately identifying personal records for which access is requested; and
:3. the lack of public awareness of these rights.

The Privacy Protection Study Commission concluded that:

An additional reason that this goal has not been realized is that there are seven exemptions to this requirement that are authorized by the Privacy Act itself. In general, these exemptions include those systems of records that include investigatory material compiled for law enforcement purposes or for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment or promotion, military service, Federal contracts, or access to classified material. Also exempt are those systems of records that are maintained in connection with providing protective services to the President or other individuals, and those that are required by statute to be maintained and used solely as statistical records.

In the 1979 “Annual Report of the President on the Implementation of the Privacy Act of 1974,” the individual access provisions were described as the “most apparently successful provision of the Act.” [“Fifth Annual Report of the President on the Implementation of the Privacy Act of 1974,” Calendar Year 1979, at 11 (Aug. 1980).] It was reported that since 1977, agencies had recorded over 2 million requests for access and had complied with over 96 percent of the requests. But, the 1979 Annual Report noted that it was not clear whether the access requests were the “direct result of the Act” because of prior procedures by which employees and clients were given access to their records.

In the 1982-83 Annual Report, OMB reported that access requests and requests to amend records had declined for most of the agencies with major record holdings. OMB attributed this to the existence of other agency access policies (for example, for personnel records) that are used rather than filing a Privacy Act request. [Id.]
Lawful Purpose Principle

The Act requires that federal agencies must collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information. While these requirements are a cornerstone of the Act, federal agencies have loosely construed them and have at times ignored them altogether. The Privacy Protection Study Commission concluded that:

In testimony before the House Subcommittee on Government Information, Justice, and Agriculture, John Shattuck, then legislative director for the American Civil Liberties Union, reached a similar conclusion, stating that:

The vagueness of the principles contributes to agencies’ practices. The Act does not define, nor does it require agencies to set standards for, such terms as “current” or “necessary.” The Act also does not develop, nor does it require agencies to develop, procedures to ensure “accurate” information or “adequate safeguards . . . to prevent misuse.”

Exemptions

Agencies are allowed to claim exemptions from some of the provisions of the Act if the records are used for certain purposes. Subsections (j) and (k) of the Privacy Act prescribe the circumstances under which exemptions can be claimed and identify the provisions of the Act from which agencies can claim exemptions. When an agency uses the authority in the act to exempt a system of records from certain provisions, it is to issue a rule explaining the reasons for the exemption.

Each agency is required to establish “rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of Privacy Act. . . .” [Id. §552a(e)(9).]
Each agency that maintains a system of records is also required to “establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.” [Id. §552a(e)(10).]

Subsection (k) of the Privacy Act permits agencies to claim specific exemptions from seven provisions of the act that relate to notice to an individual concerning the use of personal information, requirements that agencies maintain only relevant and necessary information, and procedures for permitting access to and correction of an individual’s records, when the records are:
:1. subject to the exemption for classified information in b(1) of the Freedom of Information Act;
:2. certain investigatory material compiled for law enforcement purposes other than material within the scope of a broader category of investigative records compiled for civil or criminal law enforcement purposes addressed in subsection (j);
:3. maintained in connection with providing protective services to the President of the United States;
:4. required by statute to be maintained and used solely as statistical records;
:5. certain investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information;
:6. certain testing or examination material used solely to determine individual qualifications for appointment or promotion in the federal service; and
:7. certain evaluation material used to determine potential promotion in the armed services.

Under these circumstances, agencies may claim exemptions from the provisions of the Act, described in table 5.
Subsection (j) provides a broader set of general exemptions, which permits records maintained by the Central Intelligence Agency or certain records maintained by an agency which has enforcement of criminal laws as its principal function to be exempted from any provision of the Act, except those described in table 6. In general, the exemptions for law enforcement purposes are intended to prevent the disclosure of information collected as part of an ongoing investigation that could impair the investigation or allow those under investigation to change their behavior or take other actions to escape prosecution.

Implementation

The Office of Management and Budget (OMB) was called upon to issue implementing guidance and issued a comprehensive document in July 1975, soon after the passage of the Act. [OMB Privacy Act Implementation, Guidelines and Responsibilities, 40 Fed. Reg. 28948, July 9, 1975 (full-text) and Supplemental Guidance (full-text).]

Application to Government Contractors

The Act also applies to systems of records created by government contractors. Subsection (m) of the Privacy Act states:

Remedies for Violations of the Act

The Act provides legal remedies that permit an individual to seek enforcement of the rights granted under the Act. The individual may bring a civil suit against the agency. [A civil action under the Act can only be filed against an "agency," not against an individual, a government official, an employee, or the United States. See, e.g., Connelly v. Comptroller of the Currency, 876 F.2d 1209, 1215 (5th Cir. 1989).] The court may order the agency to amend the individual’s record, enjoin the agency from withholding the individual’s records, and may award actual damages of $1,000 or more to the individual for intentional or wilful violations.
Shortly after the breach of the personal data of 26.5 million veterans in 2006 by the Department of Veterans Affairs, veterans groups filed a class-action lawsuit claiming that the U.S. Department of Veterans Affairs “flagrantly disregarded the privacy rights of essentially every man or woman to have worn a United States military uniform.” The plaintiffs alleged violations of the Administrative Procedure Act and the Privacy Act. The lawsuit seeks declaratory and injunctive relief and damages of $1,000 for every person listed in the missing database files. [Vietnam Veterans of America, Inc. v. Nicholson, No. 1:06-cv-01038-JR (D. D.C. filed June 6, 2006).]

Courts may also assess attorneys’ fees and costs. The Act also contains criminal penalties; federal employees who fail to comply with the act’s provisions may be subjected to criminal penalties. [5 U.S.C. §552a(i). See Stone v. Defense Investigative Serv., 816 F. Supp. 782, 785 (D.D.C. 1993) ("Under the Privacy Act, this Court has jurisdiction over individually named defendants only for unauthorized disclosure in violation of 5 U.S.C. §552a(i).").]

Guidelines and Regulations

The Office of Management and Budget (OMB) is required to prescribe guidelines and regulations for the use by agencies in implementing the Act, and provide assistance to and oversight of the implementation of the Act. [5 U.S.C. §552a(v); 40 Fed. Reg. 28976 (July 9, 1975).] Unfortunately, various studies by the Privacy Protection Study Commission (1977), the U.S. General Accounting Office (1978), and the House Committee on Government Operations (1975 and 1983) all found significant deficiencies in OMB’s oversight of Privacy Act implementation.

For example, under the Act, information collected for one purpose should not be used for another purpose without the permission of the individual; however, a major exemption to this requirement is if the information is for a "routine use" — one that is compatible with the purpose for which it was collected.
Neither Congress nor OMB has offered guidance on what is an appropriate routine use; hence this has become a catchall exemption permitting a variety of exchanges of federal agency information.

Criticism of the Act

Soon after passage of the Act, experts noted loopholes in the law. The Act’s limitations have become more significant with the passage of time, as information technology has become more prevalent in the operation of government programs. And while the fundamentals of the Act — the principles of fair information practices — remain relevant and current, the letter of the Act and related law and policy do not reflect the realities of current technologies and do not protect against many important threats to privacy.

Inattention by policymakers to the underlying problems, and relatively little White House guidance, has meant that privacy policy is left to the individual agencies. There has been a lack of government-wide direction, and only a few privacy leaders in key agencies have been empowered by their internal leadership to fill the policy vacuum.

Moreover, new technologies not covered by the Act are generating new questions and concerns. For example, the Federal government has provided no guidance on technologies that allow civilian government agencies to track individuals and retain data about individuals by default. And government use of private-sector databases now allows the collection and use of detailed personal information with few privacy protections. Because little guidance has been provided to the agencies since the Privacy Act was enacted, agency policy and procedure have not adapted to technological change.
Application to cybersecurity

Some observers argue that the Act should be revised to clarify, in the context of cybersecurity, what is considered PII and how it can be used, such as by explicitly permitting the sharing among federal agencies — or with appropriate third parties such as owners and operators of critical infrastructure — of certain information, such as a computer’s Internet Protocol (IP) address, in examinations of threats, vulnerabilities, and attacks. The Act contains some exemptions, such as for law enforcement activities [5 U.S.C. §552a(b)(7).] and duties of the Comptroller General [5 U.S.C. §552a(b)(10).], but none relating specifically to cybersecurity. However, other observers may argue that the provisions in the Act are sufficient to permit necessary cybersecurity activities, and that revising the Act to provide additional authorities relating to cybersecurity could compromise the protections provided by the Act.

References

Source
* Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, at 21.

See also
* Implementation of the Privacy Act of 1974, Supplemental Guidance
* OMB Circular No. A-108
* OMB Privacy Act Guidance-Update
* Overview of the Privacy Act of 1974
* Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping.